How do I renew a domain certificate and prevent downtime when the old cert expires?

winnie_leung
Tera Contributor

Dear Gurus,

 

We are doing an implementation on ServiceNow and using SAML 2.0 external authentication from Windows AD. Currently, the certificate is uploaded in the Certificate section and the system is up and running. However, as the certificate will expire one year later, no one will be able to log on after the certificate expires. Is there any way I can upload the new certificate before the old one expires? It looks like there can only be one certificate entry? And if the old certificate has expired and users can no longer log in to the system, how do we renew the certificate in ServiceNow? Thanks!

 

Best Regards,

Winnie

13 REPLIES

Jim Coyne
Kilo Patron

Just replace the old certificate with a new one before it expires. You do not have to wait for it to expire. You would typically do it outside of business hours to avoid any downtime, which would be negligible.


If the old certificate is replaced before it expires, then users will not be able to log in until the new certificate is effective, right? So we should replace it after office hours, the day before the new certificate becomes effective, right?


Use a certificate that is already valid with a start date before the date you update the certificates.


Yes. I am also trying to find a way to generate a new certificate before the old one expires. In my testing, I just set Windows' clock to a future time so that the certificate renews automatically. This is because if I just manually create a new cert, I could not find a way to bind the new cert to ADFS.


Winnie,



This is the process we just went through at DIA... there are two sides of the equation for us: the SAML cert on the SN instance, and the cert that's installed on our SSO server. They need to match.



1) Install your new certificate on your SN instance(s) as 'SAML 2.0 - NEW'


2) Set up a small maintenance window for the cut over.


3) Create a local user (Users -> New) with a different username scheme than normal (e.g. Jonathon.barton instead of bartonj) and an example.com email address (adminuser@example.com)


4) Assign that user Admin privileges, or add them to your ServiceNow Admins Assignment Group.


Wait...


On the night of the cutover:


1) Swap to the new Certificate on your SAML/SSO server.


2) Log into your SN Instance with the credentials for the local Admin user at <your instance URL>/side_door.do


3) Go to the SAML Certificates.


4) Rename your existing SAML Certificate to "SAML 2.0 - OLD"


5) Rename your "SAML 2.0 - NEW" Certificate to "SAML 2.0"


6) Log out of your local admin account and start hammering your SAML login. It should 'pop' and be functional within 3-5 minutes, depending on a few local variables.


7) Conclude your Maintenance Window.



It took us 35 minutes to do the whole process, and it only took that long because I forgot to give the local account I created admin roles, so I had to have our ADFS team back out to the old certificate for a minute so I could grant the local admin the proper role while signed in from an ADFS/SSO account... *DOH*



If I hadn't had a derpy moment, we'd have been in and out in 10 minutes.
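The ADFS side of the two procedures above (the earlier reply that wanted to generate a new token-signing certificate before the old one expires without moving the Windows clock, and the DIA cutover that swaps the certificate on the SSO server before renaming the records in ServiceNow) can be scripted from the primary ADFS server. The script below is an added example, not code from the thread, DIA, or ServiceNow. It assumes the ADFS PowerShell module cmdlets Get-AdfsCertificate, Update-AdfsCertificate and Set-AdfsCertificate, that AutoCertificateRollover is enabled on the farm (Update-AdfsCertificate only mints a certificate in that mode), and that the warning threshold, export directory and the -Cutover switch are conventions chosen here rather than anything the thread specifies.

```powershell
# Added example (not from the thread). Phase 1 pre-stages a secondary ADFS
# token-signing certificate and exports its public half for upload to
# ServiceNow as the 'SAML 2.0 - NEW' record. Phase 2 (-Cutover) promotes that
# secondary to primary on the night of the maintenance window.
param(
    [int]$WarnDays = 60,                        # assumption: start staging 60 days out
    [string]$ExportDir = 'C:\temp\adfs-certs',  # assumption: where the .cer lands
    [switch]$Cutover                            # only set this during the window
)

Import-Module ADFS

function Get-TokenSigningStatus {
    # One object per token-signing cert: role, validity window and days left.
    Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            IsPrimary  = $_.IsPrimary
            NotBefore  = $_.Certificate.NotBefore
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        }
    }
}

function Export-PublicCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Path
    )
    # Export the certificate only (X509ContentType::Cert): ServiceNow needs the
    # public key to verify assertion signatures and must never receive the private key.
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -Path $Path -Encoding ascii -Value @"
-----BEGIN CERTIFICATE-----
$b64
-----END CERTIFICATE-----
"@
}

# ---- Phase 1: check expiry and pre-stage a secondary ----------------------
$status = Get-TokenSigningStatus
$status | Format-Table -AutoSize
$primary   = $status | Where-Object { $_.IsPrimary }
$secondary = Get-AdfsCertificate -CertificateType Token-Signing |
             Where-Object { -not $_.IsPrimary } | Select-Object -First 1

if (-not $secondary -and $primary.DaysLeft -le $WarnDays) {
    # Without -Urgent ADFS mints the new cert as *secondary* and keeps signing
    # with the current primary, so nothing changes for users yet.
    Update-AdfsCertificate -CertificateType Token-Signing
    $secondary = Get-AdfsCertificate -CertificateType Token-Signing |
                 Where-Object { -not $_.IsPrimary } | Select-Object -First 1
}

if ($secondary) {
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    $out = Join-Path $ExportDir "adfs-token-signing-$($secondary.Thumbprint).cer"
    Export-PublicCert -Cert $secondary.Certificate -Path $out
    Write-Host "Upload $out to ServiceNow as 'SAML 2.0 - NEW' (valid from $($secondary.Certificate.NotBefore))."
}

# ---- Phase 2: cutover ------------------------------------------------------
if ($Cutover) {
    if (-not $secondary) { throw 'No secondary token-signing certificate to promote.' }
    # Refuse to promote a cert whose NotBefore is still in the future: ADFS would
    # start signing with it and ServiceNow would reject every assertion until then.
    if ($secondary.Certificate.NotBefore -gt (Get-Date)) {
        throw "Secondary cert not valid until $($secondary.Certificate.NotBefore); abort cutover."
    }
    Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $secondary.Thumbprint -IsPrimary
    Get-TokenSigningStatus | Format-Table -AutoSize
}
```

Run phase 1 weeks ahead, upload the exported .cer as the second ServiceNow record, and run `-Cutover` only after that record exists and the local side_door.do admin account has been confirmed to hold the admin role, since the ServiceNow rename still has to happen right after the promotion. If AutoCertificateRollover is disabled on the farm, Update-AdfsCertificate will not generate anything; in that case the certificate has to be created outside ADFS and registered with Add-AdfsCertificate before the same promotion step applies.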